What Can We Learn from a Cyberattack on The Onion?

Joel Snyder, Ph.D., is a senior IT consultant with 30 years of practice. An internationally recognized expert in the areas of security, messaging and networks, Dr. Snyder is a popular speaker and author and is known for his unbiased and comprehensive tests of security and networking products. His clients include major organizations on six continents.

As IT managers are discovering, there are some things organizations just can’t protect against.

Traditional network security and anti-malware are designed to handle the low-level malicious background radiation that occurs all the time on the Internet: automated systems looking for things to crack into, old malware hoping that someone will click with their anti-virus software turned off and so on. Many enterprises don’t even have the resources to look at their IPS logs thoroughly because doing so creates a constant workload of addressing unknowns: Is this attacker real, or is this just someone trying to guess passwords randomly? Does this alert mean anything or not?

The constant attack load across common vectors is a known: It happens all the time, and it happens to everyone. It’s the reason that IT shops buy off-the-shelf products as a first layer for defense. But when the stakes are high enough, attackers take unique paths and craft custom tools, and there is no simple off-the-shelf solution to these threats. Social engineering and plain dumb luck are the bullets that have hit home, time after time, when attackers carefully and quietly aim at specific targets.

The Many Motivations of Cybercriminals

The trend might not be new, but more IT managers are becoming aware that they don’t have to be a bank or a Defense Department site to become a target. Cybercriminals have many motivations — commercial, political, personal — for their targets, and it’s becoming quite clear that no one is too insignificant or too obscure to be a target.

For example, when the Syrian Electronic Army wanted to hack The Onion website in early 2013, they first went after a series of completely unrelated nongovernmental organizations, in the hopes of finding a user to hack whose identity would be in a trusted relationship with their final target — a strategy that proved very successful.

If everyone is a potential target, then what are the best security strategies to thwart such attacks? The two most important are good logging and log analysis tools, followed by data loss prevention (DLP) systems.

For many intrusions, logs provide critical clues and evidence. As IT managers drown in a sea of logs, it can be tempting to disable or discard information. Although log analysis tools may not be able to spot an attack in progress, they are useful in alerting IT teams to unusual patterns.

When an incident is discovered, good logs help to piece together what happened and to understand the extent of the damage done. For many organizations, knowing that an intrusion occurred is not nearly as useful as knowing what happened during the intrusion — what information was stolen and what actions the intruder took.
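The two uses of logs described above (separating an unusual pattern from the background of random password guessing, and reconstructing what an account did once an incident is found) can be shown with a small script. This is an added example, not code from the article or its author; the log format and every line in it are constructed for the illustration, and the threshold is an assumption.

```python
"""Triage constructed auth-log lines: separate background password guessing
from the pattern worth a human's attention, then rebuild one account's timeline."""
from collections import defaultdict
import re
# Constructed sample log (not from the article). Fields: timestamp user source result [detail]
SAMPLE_LOG = """\
2013-05-06T09:00:01 alice 203.0.113.7 FAIL
2013-05-06T09:00:02 bob 203.0.113.7 FAIL
2013-05-06T09:00:03 root 203.0.113.7 FAIL
2013-05-06T09:00:04 admin 203.0.113.7 FAIL
2013-05-06T09:00:05 test 203.0.113.7 FAIL
2013-05-06T09:00:06 guest 203.0.113.7 FAIL
2013-05-06T10:15:00 carol 198.51.100.9 FAIL
2013-05-06T10:15:20 carol 198.51.100.9 FAIL
2013-05-06T10:15:41 carol 198.51.100.9 OK
2013-05-06T10:16:10 carol 198.51.100.9 SENT_MAIL to=partner-org
2013-05-06T11:00:00 dave 192.0.2.44 OK
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)(?: (.*))?$")

def parse(text):
    """Turn raw lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, src, result, detail = m.groups()
            events.append({"ts": ts, "user": user, "src": src,
                           "result": result, "detail": detail or ""})
    return events

def classify_sources(events, spray_threshold=5):
    """A source failing against many different accounts is the background noise
    the article describes (random guessing). A source whose failures against ONE
    account are followed by a success on that account is the pattern to escalate."""
    failed_users = defaultdict(set)   # source -> accounts it failed against
    suspicious = []
    for e in events:
        if e["result"] == "FAIL":
            failed_users[e["src"]].add(e["user"])
        elif e["result"] == "OK" and e["user"] in failed_users.get(e["src"], ()):
            suspicious.append((e["src"], e["user"], e["ts"]))
    noise = {src for src, users in failed_users.items() if len(users) >= spray_threshold}
    return noise, suspicious

def account_timeline(events, user):
    """Everything recorded for one account, in order: the raw material for
    answering 'what did the intruder actually do?' after an incident."""
    return [(e["ts"], e["result"], e["src"], e["detail"]) for e in events if e["user"] == user]
```

The assumed threshold (five distinct accounts) is what separates the spraying source from the one that guessed its way into a single account; in practice it is tuned against the organisation's own baseline.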